Sep 23 2009
Yesterday I read this article on CSO Online entitled “7 Ways Security Pros DON’T Practice What They Preach.” I knew from the title that I was going to have issues with it. Information security is about the confidentiality, integrity and availability of data, NOT about job titles. This is like pointing out oncologists who smoke or law enforcement officers who get speeding tickets. People are people, not job titles. When I read through the “7 ways” I didn’t see anything that doesn’t apply to everyone else. The article read as if a security professional is somehow different from any other employee who has had security awareness training.
Also, when discussing security you need to remember that nothing is 100%, so we have to pick our battles. My favorite was the hit on URL shortening services. These services are very popular with the Twitter crowd because of the limited number of characters allowed per message. The article seems to think that clicking on a hyperlink that says “tinyurl.com/83jd9” is less safe than clicking on a hyperlink that says <a href="evilurl.example.com">Free Windows 7</a>. In both cases the text you see tells you nothing about where the browser will actually go; the shortened link is just more honest about it.
The issue I’ve written about several times has to do with educating everyone, “Security Pros” and “Joe/Jane User” alike, and with knowing what data we need to protect and how to protect it. Maybe the person clicking on the TinyURL link is running a browser in a sandbox on a hardened host. In that case, odds are even a malicious link won’t cause any harm.
Complicated fads and false promises are not the solution. I think we have all learned that security professionals are human and creatures of convenience like the rest of us. As it’s been said time and time again, security that is anything but simple and transparent isn’t going to work. If you want us to encrypt our storage devices, then you’ll need to make them work like the unencrypted storage devices we have today. If you want us to use strong authentication, it will need to be easier than the passwords we use today.
The bottom line is that, like everything else, security should make our lives easier, not harder. We shouldn’t need two sets of standards, one for security professionals and one for non-security professionals. Security should be “built in,” an effect and not a cause.
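To make the URL-shortener point concrete, here is a small link inspector I put together for this post; it is an added example and not code from the original article or from any shortening service. It pulls every anchor out of a chunk of HTML and compares the text the user sees with the host the href actually points at. A disguised link (“Free Windows 7”) and a shortened link both come back as “you cannot tell from the text,” which is the point: the shortener is not the special case. The shortener host list, the sample HTML and the verdict strings are my own constructed inputs, not anything from the page.

```python
import re
import urllib.error
import urllib.request
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, deliberately short list of shortener hosts for the example.
# A real check would use a maintained list.
SHORTENER_HOSTS = {"tinyurl.com", "bit.ly", "is.gd", "t.co"}

SHORTENED = "shortened: destination unknown until the redirect is expanded"
HIDDEN = "hidden: link text does not show the destination host"
CONSISTENT = "consistent: link text matches the destination host"


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host_from_text(text):
    """Return the host the link *text* appears to name, or None if the text is not URL-like."""
    t = text.strip()
    if "://" not in t:
        # Bare "example.org/path" style text; anything else is just a label.
        if not re.match(r"^[\w.-]+\.[a-z]{2,}(/|$)", t, re.IGNORECASE):
            return None
        t = "http://" + t
    return (urlparse(t).hostname or "").lower() or None


def classify_link(href, text):
    """Decide whether the visible text lets a user predict where href goes."""
    target = (urlparse(href if "://" in href else "http://" + href).hostname or "").lower()
    if target in SHORTENER_HOSTS:
        return SHORTENED
    shown = _host_from_text(text)
    if shown is None or shown != target:
        return HIDDEN
    return CONSISTENT


def inspect_links(html_text):
    """Return [(href, text, verdict), ...] for every anchor in the HTML."""
    parser = LinkCollector()
    parser.feed(html_text)
    return [(href, text, classify_link(href, text)) for href, text in parser.links]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Refuse to follow redirects so the first Location header can be read.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def expand_short_url(url, timeout=5):
    """Resolve one hop of a shortener with a HEAD request (needs network; not exercised here)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.geturl()  # no redirect: the URL is already final
    except urllib.error.HTTPError as err:
        if err.code in (301, 302, 303, 307, 308):
            return err.headers.get("Location")
        raise


# Constructed sample snippet modelled on the two links discussed in the post.
SAMPLE_HTML = """
<p>Get it here: <a href="http://tinyurl.com/83jd9">tinyurl.com/83jd9</a></p>
<p><a href="http://evilurl.example.com/win7.exe">Free Windows 7</a></p>
<p><a href="http://example.org/page">http://example.org/page</a></p>
"""

if __name__ == "__main__":
    for href, text, verdict in inspect_links(SAMPLE_HTML):
        print(f"{text!r:28} -> {href}\n    {verdict}")
```

Only the third link is honest about its destination. The first two differ in one respect: the shortened link can at least be expanded before clicking (expand_short_url does one hop), whereas the disguised link simply relies on nobody reading the status bar.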
Aug 05 2009
I was asked yesterday about the best way to secure a computer, and I caught myself launching into a list of security software, hardware and best practices, when my answer should have been a follow-up question: what kind of data do you want to protect? We so often get caught up in all the cool security technology that we forget the technology exists to support one goal, protecting our information.
When I started working with computers in the ’90s I built a few custom systems for various people and businesses. My first question to both groups was always the same: what do you plan to use the computer for? Once I had that answer, I could ask the right questions about software and hardware and give them the “solution” they actually needed.
I think we need to make more of an effort to get back to that. The first question asked of anyone, individual or business, should be: what kind of data do you plan to store, process and transmit? Only after knowing the answer to that can we start asking the right questions about software and hardware and recommend the right “solution” to the customer.
I know that sometimes the right questions are asked, and I know that many businesses and individuals are doing the right things when it comes to security. My question is how we get everyone else on board. Vendors sell solutions. The problem, as I see it, is that nobody bothers asking the right questions, so nobody knows the right “solution” for the customer.
Let me know what you think in the comments.
May 29 2009
Late last year I wrote a post on Secunia PSI, a free program (for personal use) that inspects the software installed on your Windows system and reports which installed applications are insecure, where the vendor has a fix available. I’ve been suggesting PSI to friends, family and students for some time, and yesterday Secunia released a new BETA.
The latest BETA from Secunia adds a “Secure Browsing” feature. Here is the description from the Secunia blog.
Secure Browsing
Secure Browsing is without a doubt one of the most important aspects of online security. If your browser (Internet Explorer, Firefox, etc.) or its plugins (Adobe Flash Player, QuickTime, Sun Java, etc.) is vulnerable, then you’re exposed to security threats every single time you visit a website. This is a fact that can’t be disputed.
A new feature in the Secunia PSI, called “Secure Browsing”, is here to help.
We know that keeping track of your installed browsers, browser plugins, and programs that integrate directly with your browser can be very difficult.
The “Secure Browsing” feature tells you what programs and plugins are integrated directly with your browsers – it is extremely important to know that it’s not just your browser you start up and expose when surfing.
As an additional bonus, the “Secure Browsing” feature also includes information about unpatched vulnerabilities: vulnerabilities where the vendor has yet to react and create a proper solution to a known security problem.
I think this is a great new feature to add to PSI. In addition to keeping your installed client-side applications patched, Secunia PSI can now help you keep your web browsers and their plugins patched as well.
I pulled down the latest BETA yesterday and so far I’ve been happy with it. So if you are already using PSI, I would suggest upgrading to the BETA, and if you’ve never used PSI, now might be a great time to start.
Download the free Secunia PSI 1.0.0.5 BETA:
http://secunia.com/PSISetupBeta.exe
May 12 2009
I was sent an email today by Kelly Sonora about some free open courses. I was familiar with the MIT OpenCourseWare offerings from when they started several years ago, but the other schools were new to me. Shown below is the list of “Security” related courses. The complete list includes courses covering numerous topics including, but not limited to, databases, web development, business management and law. So if you’re looking for some formal academic training, I would suggest you check these courses out.
Security
- Network and Computer Security: Through this course, students will learn to create secure multi-computer networks, encrypt data, use security monitoring software, assess risk and much more. [MIT]
- Selected Topics in Cryptography: If you’d like to address some of the more advanced issues in cryptography, this course is an ideal way to do so. [MIT]
- Cryptography and Cryptanalysis: Check out these courses for a great introduction to the modern uses of cryptography. [MIT]
- Advanced Topics in Cryptography: Focusing on topics like interactive proofs, zero-knowledge proofs, secure protocols, and two-party secure computation, this course will help you take your cryptography studies to the next level. [MIT]
- Introduction to Information Security: This course is a very basic introduction to the reasons and methods for securing confidential information. [OpenLearn]
- Network Security: Beginners can learn the basics of network security through this course. [OpenLearn]
- Hyper-Encryption by Virtual Satellite: Watch this video lecture to learn about the role satellites may play in encryption and the failings of many present methods. [Harvard@Home]
- A Worldview through the Computational Lens – Part III: Cryptography: Secrets, Lies, Knowledge, and Trust: Those interested in the role of computers in the modern world will enjoy this lecture that focuses on the benefits and problems associated with digital security. [Princeton]
As someone who takes pride in being a lifelong learner, I would also suggest that those looking for more resources check out iTunes U. They have a small collection of “security” related courses that are free to download. Again, these are all from an academic perspective, but unlike professional “just the facts” type classes, it never hurts to have a solid foundation in the fundamentals to build upon.
If you have additional resources for quality “security” related training please post them in the comments.
Mar 19 2009
This week I started teaching a new session of classes. One of the classes I’m teaching is on ethics, policies and procedures. The objective of the class is to teach students the ethics associated with network security, and the process of developing policies, including the standards and guidelines and the procedures that go with them. No matter what I do, I always feel like the class turns into a business/psychology class rather than a network security class. I guess that’s because the reason policies and procedures exist in the first place is users and the need to protect company data.
In the first part of the class we focus on policies. One of the items we discuss is where these policies come from. We all know that the mission of any business is to make money. So if security is a cost center, how does a business decide how much money to spend on it? Well, one motivator for businesses to spend money is to meet compliance mandates. This comes back to the fact that a business will not spend money on something unless it has to by law or because it provides an ROI.
The ones we focus on in class include PCI DSS, GLBA, HIPAA, FISMA and ISO 27001/27002, all of which are discussed in some detail throughout the class. The problem I have is that for some businesses these mandates are not a baseline but a ceiling: they will only spend money on security up to the point where they are compliant, and then stop. This could be for a number of reasons: time constraints, costs, lack of resources to do anything more, etc. The point is that some believe nothing bad can happen to them, until it does. I honestly don’t know why. What I do know is that none of the compliance mandates I listed is intended to be the “be-all end-all” for securing a business. Each one has a focus, and that focus does not take into account every other aspect of the business or the technology involved.
So if you’re in a position to drive change in your department, organization or corporation, please help to educate and communicate the real security requirements needed to protect the company’s mission, its customers and its employees. I think one of the clearest and most concise statements about compliance recently made was by Michael Starks in his “An Open Letter to CEO’s” post.
…we need to have a security program that is perpetually healthy–one that creates and builds a security culture. It needs to be healthy enough where passing audits is a natural consequence of how we handle information.
Meeting security compliance mandates should be a positive side effect of your security practices, not the motivation for them.
I am always open to feedback so please feel free to post a comment.